Profile Applicability

  • Level 1

Description:

S3 Bucket Policies can be configured to ensure that data is only accessible through secure communication channels. One such configuration is to deny all HTTP requests, allowing only HTTPS (secure HTTP) requests to access the S3 bucket. This is critical for ensuring the confidentiality and integrity of data during transmission by enforcing the use of encrypted communication.

By setting the S3 bucket policy to deny HTTP requests, you ensure that all data transmitted to and from the bucket is encrypted using SSL/TLS, reducing the risk of data interception and man-in-the-middle attacks.

Rationale:

Denying HTTP requests and allowing only HTTPS provides the following benefits:

  • Security: Prevents the transmission of data over unencrypted HTTP, ensuring that all data access is encrypted using HTTPS.

  • Compliance: Meets security and regulatory standards (e.g., HIPAA, PCI-DSS) that require encryption of data in transit.

  • Protection against interception: Reduces the risk of data being exposed to unauthorized parties during transmission.

Without this policy, data sent via HTTP is transmitted in plaintext and can be intercepted, increasing the risk of unauthorized access and data breaches.

Impact:

Failure to configure the S3 Bucket Policy to deny HTTP requests can result in:

  • Data exposure: Sensitive data transmitted over HTTP can be intercepted by attackers.

  • Non-compliance with security standards that mandate encryption of data in transit.

  • Security vulnerabilities: Allowing HTTP requests can lead to man-in-the-middle attacks, compromising data integrity and confidentiality.

By denying HTTP requests, you ensure that only secure, encrypted connections are used to interact with your S3 bucket.

Default Value:

By default, S3 buckets do not have a policy to block HTTP requests. You must explicitly configure the bucket policy to deny HTTP requests and enforce the use of HTTPS.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • s3:PutBucketPolicy

    • s3:GetBucketPolicy

  • An existing S3 bucket to which the policy will be attached

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the S3 Console.

  2. Select the S3 bucket you want to configure and go to the Permissions tab.

  3. Under Bucket Policy, check the existing policy to ensure it denies HTTP requests and only allows HTTPS. If the policy is not set, configure it as described below.

  4. Verify that the policy is correctly applied to block HTTP requests.

Using AWS CLI:

aws s3api get-bucket-policy --bucket <bucket-name> --query "Policy" --output text


Implementation Plan:

Using AWS Console:

  1. Create or update the S3 bucket policy to deny HTTP requests:

    • Go to the S3 Console.

    • Select the S3 bucket and navigate to the Permissions tab.

    • Under Bucket Policy, enter the following policy to deny HTTP requests:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyHTTPRequests",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<bucket-name>",
        "arn:aws:s3:::<bucket-name>/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
  2. Replace <bucket-name> with the actual bucket name. This policy denies all HTTP requests and allows only HTTPS requests.

  3. Verify the policy:

    • In the Permissions tab, confirm that the bucket policy has been correctly applied and that it denies HTTP requests.

Using AWS CLI:

  1. Apply the policy to deny HTTP requests:

aws s3api put-bucket-policy --bucket <bucket-name> --policy '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyHTTPRequests",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<bucket-name>",
        "arn:aws:s3:::<bucket-name>/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}'

  2. Verify the bucket policy:

aws s3api get-bucket-policy --bucket <bucket-name> --query "Policy" --output text
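As an added verification aid (not part of this benchmark page), the following Python checks whether a policy document returned by get-bucket-policy contains a statement that actually enforces TLS, and flags the common mistake of denying only s3:GetObject. The bucket name example-bucket and both sample policy documents are constructed; audit_bucket shells out to the same AWS CLI command shown above.

```python
import json
import subprocess

TLS_KEY = "aws:SecureTransport"


def _as_list(value):
    """IAM allows scalars or lists for Principal, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _all_principals(principal):
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))


def statement_enforces_tls(stmt, bucket):
    """True if `stmt` denies every principal non-TLS access to all objects in `bucket`."""
    if stmt.get("Effect") != "Deny" or not _all_principals(stmt.get("Principal")):
        return False
    cond = stmt.get("Condition", {}).get("Bool", {})
    if str(cond.get(TLS_KEY, "")).lower() != "false":  # both "false" and false occur in the wild
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    # s3:* (or *) covers everything; a bare s3:GetObject still lets uploads happen over HTTP
    if not ({"s3:*", "*"} & actions or {"s3:getobject", "s3:putobject"} <= actions):
        return False
    resources = _as_list(stmt.get("Resource", []))
    return "*" in resources or f"arn:aws:s3:::{bucket}/*" in resources


def policy_enforces_tls(policy_text, bucket):
    """Evaluate a policy document as printed by `get-bucket-policy --query Policy --output text`."""
    policy = json.loads(policy_text)
    return any(statement_enforces_tls(s, bucket) for s in _as_list(policy.get("Statement", [])))


def audit_bucket(bucket):
    """Fetch the live policy with the AWS CLI; a bucket without a policy is non-compliant."""
    proc = subprocess.run(
        ["aws", "s3api", "get-bucket-policy", "--bucket", bucket, "--query", "Policy", "--output", "text"],
        capture_output=True, text=True,
    )
    return proc.returncode == 0 and policy_enforces_tls(proc.stdout, bucket)


# Constructed sample documents (not from a real account): a full deny and a GetObject-only deny
def _sample(action, resource):
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyHTTPRequests", "Effect": "Deny", "Principal": "*", "Action": action,
        "Resource": resource, "Condition": {"Bool": {TLS_KEY: "false"}}}]})


FULL_DENY = _sample("s3:*", ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"])
GET_ONLY = _sample("s3:GetObject", "arn:aws:s3:::example-bucket/*")
```

Running audit_bucket against a real bucket requires the same AWS CLI credentials and s3:GetBucketPolicy permission listed under Pre-Requisites.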

Backout Plan:

Using AWS Console:

  1. If the bucket policy causes access issues:

    • Go to the S3 Console.

    • Modify the Bucket Policy to allow HTTP requests or remove the HTTPS-only policy.

    • Save the changes to allow access via HTTP if needed for certain use cases.

  2. Modify bucket settings to allow both HTTP and HTTPS or adjust the access control as necessary.

Using AWS CLI:

  1. Temporarily remove the bucket policy (note that this deletes the whole policy, including any statements other than the HTTP deny):

aws s3api delete-bucket-policy --bucket <bucket-name>

  2. Re-enable the policy once issues are resolved:

aws s3api put-bucket-policy --bucket <bucket-name> --policy '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyHTTPRequests",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<bucket-name>",
        "arn:aws:s3:::<bucket-name>/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}'

References:

CIS Controls Mapping:

  CIS Control Version | Control ID | Control Description
  CIS v8              | 4.9        | Perform Continuous Security Monitoring and Incident Detection
  CIS v7              | 6.3        | Monitor Security Configurations for Compliance
  CIS v7              | 5.2        | Securely Manage and Monitor Cloud Accounts and Services